Hi Ondrej, It looks like made a mistake when testing my patch. It does in fact not fix the problem. I then did some more reading of the linux scriptures and it turns out PACKET_OUTGOING ("Out" in tcpdump) should actually be reliable so that meant that the "M" means that packet is actually coming in from the outside.
Lo and behold I had an unintentonal, but at glance harmless, vlan configuration on the switch both enp1s0 and enp2s0 are connected to. Essentially enp2 is untagged vlan 1 and enp1 is untagged vlan 4 and tagged vlan 1 on the switch side. When sending the (untagged) RA on enp2 then I would expect to receive this with a vlan 1 tag on enp1 which would have made it obvious what is going on, but no it was coming in untagged. Smells like a switch bug[1] to me or maybe I don't understand 802.1Q VLANs as well as I thought... Sorry for the noise. Thanks, --Daniel [1]: This is with a Brocade ICX 6450 running R08030u. Relevant config snippets: vlan 1 by port tagged ethe 1/1/1 1/1/3 router-interface ve 1 vlan 4 by port tagged ethe 1/1/1 1/1/3 interface ethernet 1/1/3 dual-mode 1 I can see untagged multicast going into 1/1/3 (enp2s0) coming out 1/1/1 as untagged despite 1/1/3 being in dual-mode. Interestingly this also happens for unicasts but only in one direction. If I add the enp1s0 lladdr to the neighbour table I can see pings through enp2s0 come in untagged on enp1s0, but the return seems to be filtered which is why ND doesn't work (remember: ND responses are sent as unicast). Here's to hoping affordable open Linux NOS switches to come onto the second hand market eventually...